Day 2 of Cyberweek 2019 hosted a fascinating conference on the threats facing IoT devices - and all of us.
In a busy hospital in a major American city, a nightmare scenario plays out: Hackers have penetrated the hospital’s network and seized control of a host of connected devices throughout the facility. Cardiac patients are suddenly in grave danger as their wireless pacemakers come under the control of hackers, and in the neonatal intensive care unit, nurses and doctors clamor to supervise and treat infants whose fetal heart monitors have been disabled in the ransomware attack.
IoT cybersecurity can seem like an industry that traffics in nightmare scenarios, but the ones presented on Monday during the “Securing the IoT” conference at Cyber Week 2019 were especially alarming.
In a presentation titled “Hacking the Future of Healthcare”, Beau Woods, a white hat hacker from the grassroots cybersecurity organization “IamTheCavalry”, spoke about the threats posed by attackers who target health care institutions for ransomware attacks.
Woods said that if a pacemaker is seized by a hacker, the only way to stop the hack is to cut the pacemaker out of the person, and described the very harrowing experience of watching a demo of such a procedure performed on a dummy.
Woods said that while for hospitals, cost is always a concern, “there’s a whole lot more we could be doing in areas where human life and public safety are being impacted.” He also cited a 2017 study by the Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force that described the dire condition of health care cybersecurity, which it called “a key public health concern that needs immediate and aggressive attention.”
Besides the high cost of implementing cybersecurity solutions, a big part of the problem is also the ease with which connected devices can be compromised.
“The Ultimate IoT Weapon”
Mark Harrison of Pen Test Partners described how easy it is to hack into a wireless tea kettle or take control of a talking “Cayla” doll and make it say whatever you want.
He was just getting started.
While there are only so many people with smart tea kettles, there are already more than 1 million smart thermostats in the United Kingdom, and several times more in the United States. Harrison referred to smart thermostats as “the ultimate IoT weapon” and asked the audience to picture being at home on a freezing winter day with your kids, when a message pops up on your smart thermostat: “You suck! Pay 1 bitcoin to get control back.”
And while most hackers are looking to steal data, if you’ve ever had your A/C go out during a heat wave, then you can imagine how a device like a smart thermostat can be the perfect platform for a ransom attack.
Why is it so easy to hack these devices? According to Harrison, this is partly because users don’t tend to think of the dangers, and often don’t bother to change the default passwords on their IoT devices.
Much of the problem is structural and gets to the very essence of what IoT devices are.
As Olivier Daloy, Information Systems Security Director at Faurecia, put it, “we are taking a system that already existed and introducing cybersecurity by design in something that was not meant to be secure against anything coming in.”
In other words, tea kettles and mouse traps existed long before anyone thought to put them online – or had even heard of the internet – and now we need to play catch up.
Your Company’s Cybersecurity Rating: A New Paradigm?
When cybersecurity experts talk, a recurring sentiment is that the wider industry doesn’t take security seriously enough, though this may be changing. Anjali Bastianpillai, Senior Product Specialist at Pictet, spoke of the speed with which contemporary technology advances, saying that just a little over a decade ago “cybersecurity was people hacking to try to get famous.” Bastianpillai said that she believes that in the coming years, companies will start to see their corporate rating “as a weaker measurement than their cybersecurity rating.”
According to Meashe Patel, Senior Policy Adviser at the HMG Department for Digital, Culture, Media and Sport, by 2020 there will be 12.9 billion consumer IoT devices in use. Patel also spoke of the cybersecurity guidelines published by the UK government in June 2018 and February 2019, which call for cybersecurity by design in IoT devices and lay out the minimum set of measures that should be taken – and exceeded – for companies and departments to stay safe. These include steps such as making sure that software is regularly patched and setting technical policies and controls for software that interacts with sensitive information.
“Three IoT devices for every person on Earth”
A 2017 Gartner report predicted that there will be 20 billion “internet-connected things” by 2020, or more or less three devices for every man, woman, and child on Earth. The report stated that these devices “will have a great impact on the economy by transforming many enterprises into digital businesses and facilitating new business models, improving efficiency and increasing employee and customer engagement.”
The wide-scale adoption of IoT devices bears great promise, but the dangers to personal safety and privacy are immense. If Monday’s conference at Cyberweek was any indication, the experts and the white hats are on board; it’s now just up to consumers and manufacturers to fully grasp the dangers and act accordingly.